Module org.elasticsearch.security
Class TransportDelegatePkiAuthenticationAction
java.lang.Object
org.elasticsearch.action.support.TransportAction<DelegatePkiAuthenticationRequest,DelegatePkiAuthenticationResponse>
org.elasticsearch.action.support.HandledTransportAction<DelegatePkiAuthenticationRequest,DelegatePkiAuthenticationResponse>
org.elasticsearch.xpack.security.action.TransportDelegatePkiAuthenticationAction
public final class TransportDelegatePkiAuthenticationAction
extends HandledTransportAction<DelegatePkiAuthenticationRequest,DelegatePkiAuthenticationResponse>
Implements the exchange of an X509Certificate chain into an access token. The certificate chain is represented as an array where
the first element is the target certificate containing the subject distinguished name that is requesting access. This may be followed by
additional certificates, with each subsequent certificate being the one used to certify the previous one. The certificate chain is
validated according to RFC 5280, by sequentially considering the trust configuration of every installed PkiRealm that has
PkiRealmSettings#DELEGATION_ENABLED_SETTING set to true (default is false). A successfully trusted target
certificate is also subject to the validation of the subject distinguished name according to that respective realm's
PkiRealmSettings#USERNAME_PATTERN_SETTING.
IMPORTANT: The association between the subject public key in the target certificate and the corresponding private key is not
validated. This is part of the TLS authentication process and it is delegated to the proxy calling this API. The proxy is trusted
to have performed the TLS authentication, and this API translates that authentication into an Elasticsearch access token.
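The following Java 17 example is added here and is not Elasticsearch code: it illustrates the per-realm evaluation described above with the JDK's PKIX trust manager and, like the API, does not check possession of the private key. The Realm record, the realm names, the two PEM file arguments, the CN username pattern and the choice to move on to the next realm when the pattern does not match are assumptions made for the example.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import java.util.regex.*;
import javax.net.ssl.*;

public class DelegatedPkiCheck {
    // Hypothetical stand-in for one PKI realm's settings; not an Elasticsearch class.
    record Realm(String name, boolean delegationEnabled, X509TrustManager trust, Pattern usernamePattern) {}
    // Username from the first delegation-enabled realm that trusts the chain and matches the target DN.
    static Optional<String> resolve(X509Certificate[] chain, List<Realm> realms) {
        String dn = chain[0].getSubjectX500Principal().toString(); // element 0 is the target certificate
        for (Realm realm : realms) {
            if (!realm.delegationEnabled()) continue; // delegation is off unless explicitly enabled
            try {
                realm.trust().checkClientTrusted(chain, "UNKNOWN"); // PKIX path validation against this realm's CAs
            } catch (CertificateException e) {
                continue; // this realm does not trust the chain; consider the next one
            }
            Matcher m = realm.usernamePattern().matcher(dn);
            if (m.find() && m.groupCount() >= 1 && m.group(1) != null && !m.group(1).isEmpty()) return Optional.of(m.group(1));
        }
        return Optional.empty();
    }

    static List<Certificate> loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return new ArrayList<>(CertificateFactory.getInstance("X.509").generateCertificates(in));
        }
    }
    static X509TrustManager trustManagerFor(String caPemPath) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store
        for (Certificate ca : loadPem(caPemPath)) ks.setCertificateEntry("ca-" + ks.size(), ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager x) return x;
        throw new IllegalStateException("no X509TrustManager available");
    }
    public static void main(String[] args) throws Exception {
        // args[0]: PEM chain, target certificate first; args[1]: PEM file of trusted CA certificates.
        X509Certificate[] chain = loadPem(args[0]).toArray(new X509Certificate[0]);
        X509TrustManager cas = trustManagerFor(args[1]);
        Pattern cn = Pattern.compile("CN=(.*?)(?:,|$)"); // assumed username pattern: first CN of the DN
        List<Realm> realms = List.of(new Realm("pki-direct", false, cas, cn), new Realm("pki-proxy", true, cas, cn));
        System.out.println(resolve(chain, realms).map(u -> "authenticated as " + u).orElse("rejected"));
    }
}
```

Both example realms trust the same CAs, so a valid chain is accepted only through the realm that has delegation enabled; the other realm is skipped regardless of its trust configuration.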
Field Summary
Fields inherited from class org.elasticsearch.action.support.TransportAction
actionName, taskManager
Constructor Summary
Constructors
Constructor: TransportDelegatePkiAuthenticationAction(ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters, AuthenticationService authenticationService, TokenService tokenService, SecurityContext securityContext)
Method Summary
Modifier and Type: protected void
Method: doExecute(Task task, DelegatePkiAuthenticationRequest request, ActionListener<DelegatePkiAuthenticationResponse> listener)
Methods inherited from class org.elasticsearch.action.support.TransportAction
execute, executeDirect, localOnly
Constructor Details
TransportDelegatePkiAuthenticationAction
@Inject public TransportDelegatePkiAuthenticationAction(ThreadPool threadPool, TransportService transportService, ActionFilters actionFilters, AuthenticationService authenticationService, TokenService tokenService, SecurityContext securityContext)
Method Details
doExecute
protected void doExecute(Task task, DelegatePkiAuthenticationRequest request, ActionListener<DelegatePkiAuthenticationResponse> listener)
Specified by: doExecute in class TransportAction<DelegatePkiAuthenticationRequest,DelegatePkiAuthenticationResponse>